Snort mailing list archives

Generating email alerts of overactive source IPs


From: Claude Bailey <Claude.Bailey () RIAG com>
Date: Tue, 8 May 2001 16:22:23 -0500

I use this script with an hourly cron job to send me an email listing of any
source IP addresses that have tripped more than a certain number of Snort
alerts during the last hour. Hope you find it useful.

Claude Bailey



#!/usr/local/bin/perl
#
# Filename:    overactive_ip.pl
# Author:       Claude Bailey, modified from script by Andrew R. Baker
# Modified:     2001.04.10
# Purpose:      This script is intended to run as an hourly cron job
#               to send an administrator an email containing the ip
#               address of any source host tripping more than a certain
#               number of Snort alerts.  The script
#               handles only the new format of "-A fast" alerts
#
#
use strict;
use warnings;

# set the excess alert count value here: a source IP is reported once it has
# tripped this many distinct alert messages (repeats of one message count once)
my $threshold = 4;

if (!defined $ARGV[0]) {
   print STDERR "USAGE: overactive_ip.pl <alertfilename>\n";
   exit 1;
}

open(INFILE, "<", $ARGV[0]) or die "Unable to open file $ARGV[0]: $!\n";

my @alerts;
while (my $line = <INFILE>) {
  chomp($line);
  # if the line is blank, go to the next one
  next if $line eq "";

  # is this a "new" style fast alert, i.e.
  #   <date-time>  [**] <alert message> [**] <src>:<sport> -> <dst>:<dport>
  if ($line =~ /^.+\s\[\*\*\]\s*.+\[\*\*\]\s/) {
    # split the alert apart at the [**] markers
    my ($datentime, $alert, $srcdest) = split(/\s\[\*\*\]/, $line);
    # take the last three fields so that anything printed before the
    # addresses (e.g. a protocol tag) does not shift the columns
    my ($src, $arrow, $dest) = (split(' ', $srcdest))[-3, -2, -1];
    my ($saddr, $sport) = split(/:/, $src);
    my ($daddr, $dport) = split(/:/, $dest);
    # strip leading whitespace and turn embedded spaces into underscores so
    # the message survives the whitespace split further down
    $alert =~ s/^\s*//;
    $alert =~ s/\s/_/g;
    # put the alerts into a list
    push(@alerts, "$saddr $alert $daddr $datentime");
  } else {
    print STDERR "Warning, file may be incomplete\n";
    next;
  }
}
close(INFILE);

# sort the alerts so that all entries for one source IP are adjacent
my @list = sort(@alerts);

# Determine source IPs with multiple alerts: count, per source IP, the number
# of distinct alert messages it tripped, ignoring destination and time
my %seen;
my %count;
foreach my $entry (@list) {
  my ($saddr, $alert, $daddr, $datentime) = split(/\s/, $entry);
  next if $seen{"$saddr $alert"}++;
  $count{$saddr}++;
}

# every IP is listed once, even if it keeps tripping further alerts
my @multialerts = sort grep { $count{$_} >= $threshold } keys %count;

# write IPs with excessive alerts to STDOUT; cron mails the output to the admin
print "IPs with $threshold or more alerts \n";
foreach my $ip (@multialerts) {
  print "$ip ($count{$ip} distinct alerts)\n";
}
